453213fb5075d82d47b8e5c18cff1d11ac9e8b6b026f893bcec566b2a87fdc76

Analysis

max time kernel
149s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-02-2023 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe
Size

16KB
MD5

9e2d5ae21dd577836b90155af42982ae
SHA1

a80127fbbe0ae9ff60fa7fc9960077270b10c5c6
SHA256

453213fb5075d82d47b8e5c18cff1d11ac9e8b6b026f893bcec566b2a87fdc76
SHA512

c1d02a5024a52e3151e27e8de753c317cd87faa616ee1acffd73cad7d1a24a3dd9b52de07096dbba184b2b446ca8bcbca93c927b161bf1f625515b212431d540
SSDEEP

384:0neExJrCSFi0OwPS+B6mB6ZTnoPzlImMej9W:0eExJOuiV0BDBuorlIHcW

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msoscqit00.dll	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe
File opened for modification	C:\Windows\SysWOW64\msoscqit00.dll	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe
1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
460	services.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 260	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	7
PID 1972 wrote to memory of 260	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	7
PID 1972 wrote to memory of 260	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	7
PID 1972 wrote to memory of 260	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	7
PID 1972 wrote to memory of 260	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	7
PID 1972 wrote to memory of 332	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	6
PID 1972 wrote to memory of 332	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	6
PID 1972 wrote to memory of 332	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	6
PID 1972 wrote to memory of 332	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	6
PID 1972 wrote to memory of 332	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	6
PID 1972 wrote to memory of 368	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	5
PID 1972 wrote to memory of 368	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	5
PID 1972 wrote to memory of 368	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	5
PID 1972 wrote to memory of 368	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	5
PID 1972 wrote to memory of 368	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	5
PID 1972 wrote to memory of 380	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	4
PID 1972 wrote to memory of 380	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	4
PID 1972 wrote to memory of 380	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	4
PID 1972 wrote to memory of 380	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	4
PID 1972 wrote to memory of 380	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	4
PID 1972 wrote to memory of 416	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	3
PID 1972 wrote to memory of 416	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	3
PID 1972 wrote to memory of 416	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	3
PID 1972 wrote to memory of 416	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	3
PID 1972 wrote to memory of 416	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	3
PID 1972 wrote to memory of 460	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	2
PID 1972 wrote to memory of 460	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	2
PID 1972 wrote to memory of 460	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	2
PID 1972 wrote to memory of 460	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	2
PID 1972 wrote to memory of 460	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	2
PID 1972 wrote to memory of 476	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	1
PID 1972 wrote to memory of 476	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	1
PID 1972 wrote to memory of 476	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	1
PID 1972 wrote to memory of 476	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	1
PID 1972 wrote to memory of 476	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	1
PID 1972 wrote to memory of 484	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	8
PID 1972 wrote to memory of 484	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	8
PID 1972 wrote to memory of 484	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	8
PID 1972 wrote to memory of 484	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	8
PID 1972 wrote to memory of 484	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	8
PID 1972 wrote to memory of 588	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	25
PID 1972 wrote to memory of 588	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	25
PID 1972 wrote to memory of 588	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	25
PID 1972 wrote to memory of 588	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	25
PID 1972 wrote to memory of 588	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	25
PID 1972 wrote to memory of 664	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	24
PID 1972 wrote to memory of 664	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	24
PID 1972 wrote to memory of 664	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	24
PID 1972 wrote to memory of 664	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	24
PID 1972 wrote to memory of 664	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	24
PID 1972 wrote to memory of 748	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	23
PID 1972 wrote to memory of 748	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	23
PID 1972 wrote to memory of 748	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	23
PID 1972 wrote to memory of 748	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	23
PID 1972 wrote to memory of 748	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	23
PID 1972 wrote to memory of 800	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	22
PID 1972 wrote to memory of 800	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	22
PID 1972 wrote to memory of 800	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	22
PID 1972 wrote to memory of 800	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	22
PID 1972 wrote to memory of 800	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	22
PID 1972 wrote to memory of 844	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	21
PID 1972 wrote to memory of 844	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	21
PID 1972 wrote to memory of 844	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	21
PID 1972 wrote to memory of 844	1972	a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe	21

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Suspicious behavior: LoadsDriver
PID:460
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:1016
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:300
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:872
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:844
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:800
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:748
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:664
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:588

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:380

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:484

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:260

C:\Users\Admin\AppData\Local\Temp\a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe
"C:\Users\Admin\AppData\Local\Temp\a80127fbbe0ae9ff60fa7fc9960077270b10c5c6.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\tmpF691.tmp

Filesize
11KB

MD5
2ac0207c62995bc03375d00eae037a81

SHA1
3eadf197d956046f2acb5525a8ac72859f7b5b7f

SHA256
3eae5334252b9fe034eea855102a31784ff78ee290a784fb26d7ca752a469257

SHA512
002236bebc888322aa190fc0eee9fc1fcd1b278c5ba2f9fc135bd59aba227dceb21d83abffd4cfaa5eaf5917c2eb93f17ec5be4047b055f855a4ced40e985ba9

Download Submit
memory/1972-55-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download